📜 Description
After upgrading to Backstage 1.16 we still have a critical vulnerability for tough-cookie 2.5.0. When we trace it through `yarn why tough-cookie`, we see that the 2.5.0 version is being referenced in 2 places like below:
```
yarn why tough-cookie
yarn why v1.22.17
[1/4] Why do we have the module "tough-cookie"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "tough-cookie@2.5.0"
info Has been hoisted to "tough-cookie"
info Reasons this module exists
   - "workspace-aggregator-29dc2367-ed34-4cdd-ae81-ed1b0258236e" depends on it
   - Hoisted from "project#app#cypress#@cypress#request#tough-cookie"
   - Hoisted from "project#backend#@backstage#backend-common#@kubernetes#client-node#request#tough-cookie"
info Disk size without dependencies: "104KB"
info Disk size with unique dependencies: "620KB"
info Disk size with transitive dependencies: "620KB"
info Number of shared dependencies: 2
=> Found "jsdom#tough-cookie@4.1.3"
info This module exists because "project#@backstage#cli#jest-environment-jsdom#jsdom" depends on it.
info Disk size without dependencies: "132KB"
info Disk size with unique dependencies: "744KB"
info Disk size with transitive dependencies: "788KB"
info Number of shared dependencies: 5
=> Found "isomorphic-dompurify#tough-cookie@4.1.3"
info Reasons this module exists
   - "project#app#@backstage#plugin-api-docs#@asyncapi#react-component#isomorphic-dompurify#jsdom" depends on it
   - Hoisted from "project#app#@backstage#plugin-api-docs#@asyncapi#react-component#isomorphic-dompurify#jsdom#tough-cookie"
info Disk size without dependencies: "132KB"
info Disk size with unique dependencies: "744KB"
info Disk size with transitive dependencies: "788KB"
info Number of shared dependencies: 5
Done in 1.57s.
```
These two places are Cypress and @backstage/backend-common. Can someone tell us how to make these modules use the latest tough-cookie v4.1.3? Or is this something that needs an update by the owners of the Cypress and @backstage/backend-common modules?
👍 Expected behavior
Cypress and @backstage/backend-common should include the latest version of tough-cookie as a dependency
👎 Actual Behavior with Screenshots
Cypress and @backstage/backend-common include a vulnerable version of tough-cookie (2.5.0) as a dependency
👟 Reproduction steps
In the project, run
```
yarn audit
yarn why tough-cookie
```
📃 Provide the context for the Bug.
Tried upgrading backstage to the latest 1.16 version
🖥️ Your Environment
No response
👀 Have you spent some time to check if this bug has been raised before?
🏢 Have you read the Code of Conduct?
Are you willing to submit PR?
Yes I am willing to submit a PR!
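Parsing `yarn why` output like the above to see which workspace packages still pull in the old 2.5.0 release, as an added example that is not code from the issue or from Backstage; the sample output is constructed from the chains quoted in the issue, and `parseYarnWhy`, `versionLt` and `vulnerableChains` are hypothetical helper names:

```javascript
// Added example (not from the issue or Backstage): parse Yarn 1 `yarn why <pkg>` output
// and list chains still resolving below a fixed version. Sample constructed from the issue.
const SAMPLE_YARN_WHY = `=> Found "tough-cookie@2.5.0"
info Has been hoisted to "tough-cookie"
info Reasons this module exists
   - Hoisted from "project#app#cypress#@cypress#request#tough-cookie"
   - Hoisted from "project#backend#@backstage#backend-common#@kubernetes#client-node#request#tough-cookie"
=> Found "jsdom#tough-cookie@4.1.3"
info This module exists because "project#@backstage#cli#jest-environment-jsdom#jsdom" depends on it.`;

// Numeric comparison of plain x.y.z versions; true when a < b.
function versionLt(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// One entry per "=> Found" block: resolved version plus every quoted '#'-separated chain.
function parseYarnWhy(text) {
  const found = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const f = line.match(/^=> Found "(?:.*#)?[^#@"]+@([^"]+)"$/);
    if (f) { found.push({ version: f[1], chains: [] }); continue; }
    const c = found.length && line.match(/"([^"]*#[^"]*)"/);
    if (c) found[found.length - 1].chains.push(c[1]);
  }
  return found;
}

// For each chain still below fixedVersion: the workspace that pulls it in (segment after
// the root) and the direct dependency it comes through (scoped names span two '#' segments).
function vulnerableChains(text, fixedVersion) {
  const out = [];
  for (const { version, chains } of parseYarnWhy(text)) {
    if (!versionLt(version, fixedVersion)) continue;
    for (const chain of chains) {
      const s = chain.split('#');
      const via = s[2].startsWith('@') ? `${s[2]}/${s[3]}` : s[2];
      out.push({ version, workspace: s[1], via, chain });
    }
  }
  return out;
}

console.log(vulnerableChains(SAMPLE_YARN_WHY, '4.1.3'));
```

Chains already resolved to 4.1.3 (the jsdom one here) are dropped, so the remaining entries are exactly the consumers that need an upstream fix or an override.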
bbasu changed the title from "🐛 Bug Report: <title>" to "🐛 Bug Report: Backstage 1.16 has a critical vulnerability for tough-cookie 2.5.0 in Cypress and @backstage/backend-common modules" on Jul 28, 2023
Hi @bbasu, in this case this is not a direct dependency of Backstage packages but of other packages used by Backstage. In this case there are tools like Renovate, Dependabot, or Snyk that would help identify and upgrade it for you.
We're bringing in a vulnerable version of tough-cookie due to @kubernetes/client-node, which in turn depends on the deprecated request package. There's a migration ongoing: kubernetes-client/javascript#754.
The latest version of jsdom no longer depends on a vulnerable version of tough-cookie, so you'll be able to bump that version on your end.
I would imagine that there's no actual exposure to the vulnerability in tough-cookie in practice, as it seems to be related only to the cookie jar, and I'd be surprised if that was used in @kubernetes/client-node. It's not something I've verified though.